CVE-2026-35665

MEDIUM

OpenClaw < 2026.3.24 - Denial of Service via Feishu Webhook Pre-Auth Body Parsing

Title source: cna

Description

OpenClaw before 2026.3.24 contains an incomplete fix for CVE-2026-32011: the Feishu webhook handler accepts request bodies under permissive limits (1MB and a 30-second timeout) before signature verification. An unauthenticated attacker can exhaust server connection resources by sending concurrent slow HTTP POST requests to the Feishu webhook endpoint, blocking legitimate webhook deliveries.

Scores

CVSS v3 5.3
EPSS 0.0008
EPSS Percentile 22.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact partial

Details

CWE
CWE-405
Status published
Products (4)
npm/openclaw 0 - 2026.3.24 (npm)
OpenClaw/OpenClaw < 2026.3.24
openclaw/openclaw < 2026.3.24
OpenClaw/OpenClaw 2026.3.24
Published Apr 10, 2026
Tracked Since Apr 10, 2026